LMI is seeking a Splunk/ArcSight Specialist to support the Program Manager (PM) Army Enterprise Systems Integration Program (AESIP) located in Fort Belvoir, VA.
LMI is a government consulting firm, dedicated exclusively to advancing the management of the government. As a not-for-profit company, we deliver the best value for the government dollar as all revenues are directed to our mission of advancing government rather than to delivering shareholder value. We operate completely free of political and commercial bias, and we are entirely aligned with the goals of our clients. Our clients value our not-for-profit status and specialized services in logistics, intelligence, homeland security, health care, and energy and environment markets.
* Support current ArcSight solution and lead efforts to migrate to Splunk in the enterprise
* Design and implement technical infrastructure based on functional requirements for new and existing Splunk instances; determine log types and anticipated log volumes to ensure adequate capacity
* Administer, maintain, upgrade, operate, advise on, and cross-train team members in the operation of the Splunk platform
* Work with cybersecurity, application, and infrastructure teams to prepare for, implement, and validate log migrations from legacy systems to Splunk
* Work with cybersecurity, application, and infrastructure teams to gather requirements, perform troubleshooting, and assist with the creation of Splunk search queries and dashboards
* Integrate existing automation, application, and monitoring systems into Splunk
* Partner with cybersecurity, application, and infrastructure teams to facilitate log ingestion and analysis
* Participate in requirements gathering, prototyping, architecting, building, and triaging or fixing operational issues
* Maintain all Splunk-related documentation, including design/architecture, policies, processes, guides, and SOPs
* Work with internal and external stakeholders to continuously monitor the enterprise environment, identifying potential risks and security control gaps
* Coordinate efforts related to ingesting application logs from application owners, from initial contact through validation of ingestion and use case development
* Work with cybersecurity, application, and infrastructure teams to understand and document current logging stances
* Work with cybersecurity, application, and infrastructure teams to ensure application logging is commensurate with corporate minimum security baseline policies
* Work with cybersecurity, application, and infrastructure teams to develop potential use cases for data ingested and develop alerting requirements for anomalous activity
* Assist with modifying and creating rules, verifying that rules are structured correctly and execute as intended
* Leverage the existing ArcSight efforts to provide support in applying solutions to other environments. For example, advice is needed on the solution for connecting reports from the operating system (OS), database (DB), and application into the ArcSight tool. Also provide advice and support, as requested, on planned solutions for OS, DB, and SAP.
* Patch ArcSight (ESM, Oracle, and SmartConnectors)
* Ensure ArcSight connectors are running and parsing data properly
* Troubleshoot missing system logs; work with administrators and system owners to ensure log flow is reaching the ArcSight system
* Build custom ArcSight parsers to receive non-standard logs
* Create ad hoc and recurring ArcSight reports
* Create new ArcSight content
* Advise on best practices for resolving audit findings
* Work with watch officers to improve ArcSight content and reports and to consolidate use cases for greater efficiency
* Train watch officers to understand how ArcSight deals with specific events and best practices for resolutions
* Maintain the ArcSight system and remove unused content, users, reports, etc.
* Create documentation and install new ArcSight software for the new ERP ArcSight project
* Support the review of ArcSight configuration, rules, and reports
* 3-5+ years of Splunk experience architecting, configuring, deploying, and customizing the tool, preferably both supporting the application and using it for information security monitoring, incident response, and compliance
* Experience architecting and deploying Splunk Enterprise implementations for medium to large customers
* Operational experience developing, installing, and managing an enterprise Splunk solution
* Operational experience in performing complex searches, developing dashboards, and providing reports within Splunk
* An in-depth understanding of security control implementation assessment and the NIST Risk Management Framework is required
* 3-5+ years of ArcSight experience required
* In-depth understanding of security configuration management and audit log events on various platforms, including SAP, Hadoop, Linux, Unix, Windows, databases, and various application/web application servers
* Bachelor's degree preferred, but not required
* DoD 8570.01-M IAT Level II certification required
* Secret Security Clearance required
* Availability for occasional travel